A method and apparatus for ensuring secure communication over an unsecured communications medium between a user working on an unsecured workstation or computer and a host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. Data transferred from the input/output devices is intercepted, encrypted and transmitted in packets to the host computer. Packets of screen display data from the host computer are decrypted and presented within a user-defined screen overlay.
TRUSTED PATH SUBSYSTEM FOR WORKSTATIONS

Background of the Invention

Field of the Invention

The present invention relates to an apparatus and method for providing a trusted computer system based on untrusted computers, and more particularly to an apparatus and method for providing a trusted path mechanism between a user node based on an untrusted computer or workstation and a trusted subsystem.

Background Information

Advances in computer and communications technology have increased the free flow of information within networked computer systems. While a boon to many, such a free flow of information can be disastrous to those systems which process sensitive or classified information. In response to this threat, trusted computing systems have been proposed for limiting access to classified information to those who have a sufficient level of clearance. Such systems depend on identifying the user, authenticating (through password, biometrics, etc.) the user's identity and limiting that user's access to files to those files over which he or she has access rights. In addition, a trusted path mechanism is provided which guarantees that a communication path established between the Trusted Computing Base (TCB) and the user cannot be emulated or listened to by malicious hardware or software. Such a system is described in U.S. Patent Nos. 4,621,321; 4,713,753; and 4,701,840 granted to Boebert et al. and assigned to the present assignee, the entire disclosures of which are hereby incorporated by reference.

The last decade has marked a shift in the distribution of computational resources. Instead of connecting a large number of relatively "dumb" terminals to a mainframe computer, the automatic data processing environment has gradually shifted to where a large number of current systems are file server systems. In a file server system, relatively low cost computers are placed at each user's desk while printers and high capacity data storage devices are located near the server or servers. Files stored in the high capacity data storage devices are transferred to the user's computer for processing and then either saved in local storage or transferred back to the storage devices. Documents to be printed are transferred as files to a print server; the print server then manages the printing of the document.

An even more loosely coupled distributed computing approach is based on the client-server paradigm. Under the client-server paradigm, one or more client processes operating on a user's workstation gain access to one or more server processes operating on the network. As in file server systems, the client processes handle the user interface while the server processes handle storage and printing of files. In contrast with file server systems, however, the client processes and the server processes share data processing responsibilities. A more complete discussion of distributed computing is contained in "Client-Server Computing" by Alok Sinha, published in the July 1992 issue of Communications of the ACM.

Both the file server and the client-server paradigms depend heavily upon the availability of low-cost computer systems which can be placed at each user's desk. The low-cost systems are then connected through a network, such as a LAN or a WAN, to the server systems. Such a networked system is illustrated in the block diagram shown in Fig. 1. In Fig. 1, a workstation processing unit 40 is connected through a network 50 to a host computer 60. Workstation unit 40 is also connected through video port 44 and keyboard port 46 to display unit 10 and keyboard 20, respectively.

In a typical distributed computer system, the workstations 40, the host computers 60 and the connecting networks 50 are all at great risk of a security breach. Trusted computer systems based on host computers such as the Multilevel Secure (MLS) Computer 60 shown in Fig. 1 make security breaches at the host computer more difficult by partitioning the system to isolate security critical (trusted) subsystems from nonsecurity critical (untrusted) subsystems. Such computers do little, however, to prevent security breaches on network 50 or at user workstation 40.

A Multi-Level Secure (MLS) Computer such as is shown in Fig. 1 is capable of recognizing data of varying sensitivity and users of varying authorizations and ensuring that users gain access to only that data to which they are authorized. For example, an MLS computer can recognize the difference between company proprietary and public data. It can also distinguish between users who are company employees and those who are customers. The MLS computer can therefore be used to ensure that company proprietary data is available only to users who are company employees.

Designers of MLS computers assume that unauthorized individuals will use a variety of means, such as malicious code and active and passive wiretaps, to circumvent its controls. The trusted subsystem of an MLS computer must therefore be designed to withstand malicious software executing on the untrusted subsystem, to confine the actions of malicious software and render them harmless. One mechanism for avoiding malicious software is to invoke a trusted path, a secure communications path between the user and the trusted subsystem. A properly designed trusted path ensures that information viewed or sent to the trusted subsystem is not copied or modified along the way.
Extension of the trusted path through the network to the user is, however, difficult. As is described in a previously filed, commonly owned U.S. patent application entitled "Secure Computer Interface" (U.S. Patent Application No. 07/676,885 filed March 28, 1991 by William E. Boebert), "active" and "passive" network attacks can be used to breach network security. Active attacks are those in which masquerading "imposter" hardware or software is inserted into the network communications link. For example, hardware might be inserted that emulates a user with extensive access privileges in order to access sensitive information. "Passive" network attacks include those in which a device listens to data on the link, copies that data and sends it to another user. A system for ensuring secure data communications over an unsecured network is described in the above-identified patent application. That application is hereby incorporated by reference.

Active and passive attacks can also be used to breach computer security through software running on an untrusted user computer, an untrusted host or in the untrusted subsystem of a Multilevel Secure Computer. For example, malicious software running in the workstation could present itself to an authorized user as the trusted subsystem, and cause that user to enter highly sensitive data, such as a password. The data is then captured and given to the attacker. Under a passive software attack, data which is intended for one user could be copied and sent to a user who is not authorized to work with it.

Systems for ensuring secure communications over an unsecured network have been limited to date to scrambling devices which encrypt data written to the network and decrypt data received from the network. Such systems are limited in that they provide no assurance that the user's computer is secure or that the user has, in fact, established a trusted path to the trusted subsystem. Therefore, despite the fact that the communications link is secure, it is possible for a user on the computer to be misled into believing that a program executing on his computer is actually running on the host computer.

What is needed is a mechanism for extending the trusted path from the trusted subsystem of the host computer to the user of an untrusted computer or workstation. Such a method should provide access to the workstation for normal workstation activities while shielding confidential data so that it cannot be read by software executing on the unsecured workstation.

Summary of the Invention

The present invention provides a method and apparatus for ensuring secure communication over an unsecured communications medium between a user working on an unsecured workstation or computer and a host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. Data transferred from the input/output devices is intercepted, encrypted and transmitted in packets to the host computer. Packets of screen display data from the host computer are decrypted and presented within a user-defined screen overlay.

According to another aspect of the present invention, a method is disclosed for ensuring secure file transfers between an unsecured workstation and a host computer. A file to be transferred is downloaded to a trusted path subsystem inserted between the workstation and its keyboard and display device. The trusted path subsystem presents the file on the display device, where the user verifies that the file is as expected. The verified file is then encrypted and transferred as packets to the host computer.



WO 94/01821 PCT/US93/06511

Brief Description of the Drawings

FIG. 1 is a system level block diagram representation of a networked computer system.

FIG. 2 is a system level block diagram representation of a secure networked computer system according to the present invention.

FIG. 3 is a block diagram representation of a user node including a trusted path subsystem according to the present invention.

FIG. 4 is a block diagram representation of a user node including a different embodiment of a trusted path subsystem according to the present invention.

FIG. 5 is an electrical block diagram representation of one embodiment of the trusted path subsystem according to the present invention.

FIG. 6 is a representation of a secure window overlay according to the present invention.


Detailed Description of the Preferred Embodiments

In the following Detailed Description of the Preferred Embodiments, reference is made to the accompanying Drawings which form a part hereof, and in which are shown by way of illustration specific embodiments in which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention.

The present invention provides a method and apparatus for ensuring secure communication over an unsecured communications medium between a user working on an unsecured workstation or computer and a host computer. A secure user interface is created by inserting a trusted path subsystem between input/output devices to the workstation and the workstation itself. Data transferred from the input/output devices is intercepted, encrypted and transmitted in packets through the workstation to the host computer. Packets of screen display data from the host computer are decrypted and presented within a user-defined screen overlay.

Cryptographic entities in the trusted path subsystem and the host computer apply end-to-end encryption to confidential data transferred to and from the network. End-to-end encryption is a technique whereby data is encrypted as close to its source as possible and decrypted only at its ultimate destination. This technique differs from link encryption, in which data is decrypted, then encrypted again at each intermediate node as it moves from the sender to the receiver, and is therefore exposed in the clear at every such node.

The present invention extends the notion of end-to-end encryption by performing the encryption/decryption closer to the originator and receiver than prior systems. In the present invention, the encryption/decryption is performed as the data enters and leaves the input/output device. The data is therefore protected from malicious software which might be operating on the workstation and from active or passive attacks on the network.

A secure networked computer system constructed according to the present invention is illustrated generally in Fig. 2. In Fig. 2, a workstation processing unit 40 is connected through a network 50 to a host computer 60. Workstation 40 can be any workstation or X terminal which has a separate data path for communication between a trusted path subsystem 30 and the workstation. For instance, workstation 40 can be a commercially available workstation such as the UNIX workstations manufactured by Sun Microsystems, Mountain View, California, an IBM PC compatible such as those available from Compaq, Houston, Texas or an X terminal such as Model NCD19g from Network Computing Devices, Inc., Mountain View, California.
Trusted path subsystem 30 is connected to workstation 40 (through auxiliary data port 42), keyboard 20 and display 10. Trusted path subsystem 30 includes cryptographic entity 35 for encrypting and decrypting information transferred between display 10, keyboard 20 and workstation 40.

Host computer 60 is a Multi-Level Secure computer which includes a trusted subsystem 67 and an untrusted subsystem 63. Trusted subsystem 67 includes a cryptographic entity 69 for encrypting and decrypting data transferred between trusted subsystem 67, untrusted subsystem 63, and network 50. In another embodiment of the present invention, host computer 60 is a computer running a trusted subsystem software package. In that embodiment, cryptographic entity 69 would be implemented in software.

In the embodiment shown in Fig. 2, all communication between trusted path subsystem 30 and host computer 60 is done via workstation 40. In one such embodiment, auxiliary data port 42 is an RS-232 line connecting workstation 40 and subsystem 30. Communications software running on workstation 40 receives encrypted packets from the trusted path subsystem and sends them to the host computer. In a like manner, encrypted packets from host computer 60 are received by workstation 40 and transferred to subsystem 30 for decrypting. This type of interface is advantageous, since a standard communications protocol can be defined for transfers between subsystem 30 and host computer 60. Workstation 40 then implements the standard protocol for the communications media connecting it to host computer 60.
Network 50 can be implemented in a wide range of communications protocols, from FDDI to a simple telecommunications line between two modems. In a network implementation, subsystem 30 provides only the encrypted file; workstation 40 provides the layers of protocol needed for reliable communication on network 50.

Fig. 3 provides more detail of trusted path subsystem 30. Trusted path subsystem 30 consists of a processor 31 connected to a keyboard manager 36, a video manager 34 and cryptographic entity 35. Trusted path subsystem 30 operates in normal mode and in trusted path mode. When in normal mode, trusted path subsystem 30 is transparent to workstation 40. Logical switches 37 and 38 are in the UP position, connecting workstation processor 40 directly to keyboard 20 and display 10. This permits the free transfer of information from keyboard 20 to workstation 40 and from workstation 40 to display 10. In normal mode, workstation processor 40 runs software and communicates with host computer 60 via network 50.

When the user invokes trusted path mode, however, workstation processor 40 is disconnected from keyboard 20 and display 10 by logical switches 37 and 38, respectively. Keyboard 20 and display 10 are then connected to their respective managers in trusted path subsystem 30.

As is shown in Fig. 6, while in trusted path mode, video manager 34 creates a trusted window 82 which is overlaid on the screen display 80 generated by workstation 40 for display 10. Since window 82 is created outside of workstation 40, by trusted elements, it is not possible for malicious software on workstation 40 to control any of the video in trusted window 82. In the preferred embodiment the size of trusted window 82 can vary; if sufficient video RAM is present, window 82 may be as large as the entire display screen.
In a like manner, while in trusted path mode, keyboard manager 36 intercepts keyboard data intended for workstation 40. The data is then routed to cryptographic entity 35, where it is encrypted before being passed over auxiliary port 42 to workstation processing unit 40. Thus keyboard inputs are protected from eavesdropping and undetected modification until they are decrypted by cryptographic entity 69 on host computer 60.

In one embodiment of the trusted path subsystem of Fig. 3, cryptographic entity 35 uses a pair-wise key to encrypt data to be transmitted from keyboard 20 to host computer 60. At the same time, cryptographic entity 35 decrypts data transmitted from host computer 60 to display 10. The encryption and integrity mechanisms protect the data from eavesdropping and undetected modification as it is passed through workstation processor 40, network 50 and host computer untrusted subsystem 63. Other types of symmetric encryption algorithms such as the Data Encryption Standard (DES), and asymmetric cryptographic techniques such as public key can also be used. Furthermore, the encryption algorithm can be implemented in software, programmable hardware, or custom hardware.

Trusted path mode can be invoked in a number of ways. In one embodiment, a switch on trusted path subsystem 30 can be used to manually activate trusted path mode. A second method would be to invoke trusted path mode by a combination of keys pressed simultaneously on keyboard 20 (like the control/alt/delete key sequence on a PC-compatible computer). A third method would require that the user insert some sort of token device into subsystem 30. A token device could range from a smart card to a crypto-ignition key. In the preferred embodiment, subsystem 30 would also have a feedback mechanism such as a light to notify the user that subsystem 30 was in trusted path mode.

The trusted path mode, used in conjunction with cryptographic entity 69 on host computer 60, provides security services such as user authentication, data confidentiality, data integrity, data origin authentication and confinement of malicious software. The user is authenticated to trusted path subsystem 30 and this authentication is securely passed to trusted subsystem 67 in MLS computer 60. Data passed between cryptographic entities 35 and 69 is protected from unauthorized disclosure and undetected modification. Cryptographic entities 35 and 69 also assure that the data was sent from one cryptographic entity to its peer cryptographic device. In addition, malicious software on workstation 40, network 50 or untrusted subsystem 63 is confined so that it cannot dupe the user or trusted subsystem 67 into performing an insecure action.
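The keystroke path described above (logical switch 37, cryptographic entity 35, auxiliary port 42, workstation 40 acting only as a relay, cryptographic entity 69 at the host) and the security services just listed can be modelled end to end. The following Python block is an added example written for this page; it is not code from the patent or its assignee. It stands in for the hardware with a toy cryptographic entity built only from the Python standard library (an HMAC-SHA256 keystream plus an HMAC-SHA256 tag, i.e. encrypt-then-MAC, with separate keys per direction derived from one pair-wise key). The packet layout, the port and class names and the sample keystrokes are assumptions made for the example; a real device would use a vetted AEAD such as AES-GCM in the same role.

```python
"""Toy model of the trusted-path packet exchange (constructed example, not the
patent's code). Cryptographic entities 35 and 69 are stood in for by encrypt-then-
MAC built from HMAC-SHA256 (keystream + tag); a real device would use an AEAD."""
import hashlib
import hmac
import struct

TAG_LEN = 16
NORMAL, TRUSTED = "normal", "trusted"
HDR = struct.Struct("!BQ")            # direction byte + 64-bit sequence number
KB_TO_HOST, HOST_TO_DISPLAY = 1, 2    # keyboard manager 36 -> subsystem 67, and back

class TamperedPacket(Exception):
    pass

def derive_direction_keys(pairwise_key: bytes) -> dict:
    # Separate enc/mac keys per direction: a packet captured on network 50 cannot be
    # turned around and accepted as if it came from the peer (origin authentication).
    return {d: (hmac.new(pairwise_key, b"enc%d" % d, hashlib.sha256).digest(),
                hmac.new(pairwise_key, b"mac%d" % d, hashlib.sha256).digest())
            for d in (KB_TO_HOST, HOST_TO_DISPLAY)}

def _xor_keystream(enc_key: bytes, header: bytes, data: bytes) -> bytes:
    # CTR-style keystream bound to (direction, seq); XOR is its own inverse.
    stream = b"".join(hmac.new(enc_key, header + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys: dict, direction: int, seq: int, plaintext: bytes) -> bytes:
    enc_key, mac_key = keys[direction]
    header = HDR.pack(direction, seq)
    ct = _xor_keystream(enc_key, header, plaintext)
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]

def open_packet(keys: dict, expected_dir: int, next_seq: int, packet: bytes):
    # Returns (seq, plaintext); rejects reflected, modified and replayed packets
    # before anything is decrypted.
    if len(packet) < HDR.size + TAG_LEN or packet[0] != expected_dir:
        raise TamperedPacket("short packet, or not from the peer direction")
    header, ct, tag = packet[:HDR.size], packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = keys[expected_dir]
    if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]):
        raise TamperedPacket("integrity check failed")
    seq = HDR.unpack(header)[1]
    if seq < next_seq:
        raise TamperedPacket("replayed sequence number")
    return seq, _xor_keystream(enc_key, header, ct)

class CryptoEntity:   # entities 35 and 69 run the same code; only the directions differ
    def __init__(self, keys, send_dir, recv_dir):
        self.keys, self.dirs, self.seq, self.next_seq = keys, (send_dir, recv_dir), 0, 0

    def send(self, data: bytes) -> bytes:
        self.seq += 1
        return seal(self.keys, self.dirs[0], self.seq - 1, data)

    def recv(self, pkt: bytes) -> bytes:
        seq, pt = open_packet(self.keys, self.dirs[1], self.next_seq, pkt)
        self.next_seq = seq + 1
        return pt

class TrustedPathSubsystem:
    """Subsystem 30, between keyboard 20 / display 10 and workstation 40."""
    def __init__(self, keys):
        self.entity = CryptoEntity(keys, KB_TO_HOST, HOST_TO_DISPLAY)   # entity 35
        self.mode, self.light, self.trusted_window = NORMAL, False, []

    def set_mode(self, mode):             # panel switch, key combination or token
        self.mode, self.light = mode, (mode == TRUSTED)

    def keypress(self, data: bytes):
        # Logical switch 37: NORMAL -> keyboard port 46 in the clear; TRUSTED ->
        # entity 35 -> auxiliary port 42 as a packet the workstation cannot read.
        if self.mode == NORMAL:
            return ("keyboard_port_46", data)
        return ("auxiliary_port_42", self.entity.send(data))

    def show(self, pkt: bytes) -> str:    # host screen data into trusted window 82
        self.trusted_window.append(self.entity.recv(pkt).decode())
        return self.trusted_window[-1]

def demo() -> dict:
    keys = derive_direction_keys(b"pair-wise key shared by entities 35 and 69")
    tps, host = TrustedPathSubsystem(keys), CryptoEntity(keys, HOST_TO_DISPLAY, KB_TO_HOST)
    r = {"normal": tps.keypress(b"ls -l\n")}                  # clear text to workstation 40
    tps.set_mode(TRUSTED)
    port, pkt = tps.keypress(b"secret-password\n")            # workstation 40 relays only pkt
    r["trusted_port"], r["plaintext_visible"] = port, b"secret-password" in pkt
    r["host_got"] = host.recv(pkt)
    p2 = tps.keypress(b"rm -rf /\n")[1]
    attacks = {"tamper": p2[:-TAG_LEN - 1] + bytes([p2[-TAG_LEN - 1] ^ 1]) + p2[-TAG_LEN:],
               "replay": pkt,                                  # earlier packet resent
               "reflect": host.send(b"TOP SECRET: cleared")}  # host->display packet turned around
    for name, bad in attacks.items():
        try:
            host.recv(bad)
            r[name + "_detected"] = False
        except TamperedPacket:
            r[name + "_detected"] = True
    tps.show(host.send(b"TOP SECRET: cleared"))
    r["trusted_window"], r["indicator_light"] = list(tps.trusted_window), tps.light
    return r
```

Running demo() exercises the services listed above: in normal mode keystrokes reach keyboard port 46 in the clear, in trusted path mode they leave only as ciphertext on auxiliary port 42 (confidentiality); a workstation that flips a ciphertext bit, resends an earlier packet or turns a host-to-display packet back toward the host is rejected by the peer before decryption (integrity and data origin authentication); and the indicator light tracks the mode. The check order in open_packet matters: direction and tag are verified before the sequence number is even parsed, so nothing the untrusted relay controls is acted on until it has been authenticated.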

The user can be authenticated to the trusted computing system by either authenticating himself directly to trusted path subsystem 30 or by going through subsystem 30 to host computer 60. In the first method, the user can authenticate himself to subsystem 30 via such means as a personal identification number (PIN), a password, biometrics or a token device such as a smart card or a cryptographic ignition key. Once the user has authenticated himself to subsystem 30, subsystem 30 relays the authentication to trusted subsystem 67. The step of relaying authentication can be done by either automatically entering trusted path mode as part of the authentication process or by having subsystem 30 relay the authentication at a later time.

A second method for authenticating the user would be to first enter trusted path mode and then authenticate the user directly to host computer 60. This approach would reduce the processing power needed on subsystem 30.

In its simplest form, trusted path subsystem 30, in conjunction with workstation 40, display 10 and keyboard 20, forms an assured terminal. Data typed on keyboard 20 or extracted from a pointing device such as a mouse is encrypted and transferred over network 50 to host computer 60. Screen display data transferred from host computer 60 is decrypted and displayed within trusted window 82. Such a terminal might be implemented as a relatively dumb terminal such as a VT100, or it could be implemented as an X Windows terminal. The X Window embodiment would be useful since it would allow the creation of multiple trusted windows 82 and would permit the assigning of a different security level to each window. Such a mechanism would permit qualified users to cut information from a document of one sensitivity and paste it into a document of a different sensitivity.

An assured terminal is especially useful in an environment where you are trying to maintain a number of security levels despite having a workstation which will only operate at one level. An example is a trusted computing system mixing single level secure workstations with a multi-level computer with three security levels: unclassified (least sensitive), secret (much more sensitive), and top secret (most sensitive). Trusted path subsystem 30 can be used to expand the capabilities of the single level workstation, since subsystem 30 allows the user to essentially disable subsystem 30, do all his work at the level permitted by the workstation (say, secret) using all the capabilities of his workstation and the resources available on the multilevel computer. Then, if the user has a small amount of work that he or she needs to do at top secret, the user can invoke trusted mode in subsystem 30, isolate their workstation, its processor, memory and storage devices, and he has, in effect, a keyboard and a terminal connected to a secure communications device through a multilevel host. The user can then do the operations required at top secret.

The cryptographic techniques applied in subsystem 30 will ensure that none of the top secret information going to or from the multilevel secure computer is linked to files within workstation 40 or is captured and copied on the network.

Likewise, if a user had to do a small amount of unclassified work, he could put the workstation into trusted path mode using subsystem 30. The user could, through a trusted path, invoke an unclassified level and again the cryptographic techniques applied at each end of the link would prevent secret information from being mixed in with the unclassified information. The system essentially provides a pipe to keep data from one security level from being mixed into data at a different security level.

Trusted path subsystem 30 is not, however, limited to a role as an assured terminal. In a file server application, files stored at host computer 60 or within workstation 40 could be transferred to subsystem 30 for data processing tasks such as editing, reviewing the file or transferring it as electronic mail. In a client-server application, processor 31 could execute one or more client processes such as an editor or a communications process. Software and firmware which could be implemented inside trusted path subsystem 30 would be limited only by the amount of storage within subsystem 30 and the review and approval process required to provide clean software.

Trusted path subsystem 30 has access not only to files on host computer 60 but also to files on workstation 40. Files transferred from either computer 60 or workstation 40 can be manipulated and transferred to other computers or workstations. For example, a secure electronic mail system could be implemented in which trusted path subsystem 30 is used for reviewing, reclassifying, and electronically signing messages. A document file from computer 60 or workstation 40 can be displayed and reviewed. If appropriate, the user may downgrade its sensitivity level by attaching a different security level to the document. The finished file can then be sent via electronic mail to other users.

In one embodiment of such an electronic mail function, subsystem 30 would go out on the network to the directory server to retrieve the names, electronic mail addresses and public key information of the intended recipients. The directory server could be implemented as either a trusted or an untrusted process on host computer 60 or on another network computer. Subsystem 30 would then attach the addresses to the file, affix a digital signature, encrypt the final product and send it through host computer 60 to the designated addresses.

In another embodiment of such a function, in a system without an MLS computer, secure electronic mail is possible by first establishing a trusted path from the user to processor 31. The user then accesses files of workstation 40 (or on other network computers), displays and reviews the file, accesses an unsecured directory server to retrieve the names, electronic mail addresses and public key information and sends the encrypted message via electronic mail to its recipient. Because the directory server in this case is unsecured, subsystem 30 must verify that the public key it retrieves actually belongs to the intended recipient (for example, by checking a certificate on the key signed by an authority it trusts) before encrypting to it; otherwise a key substituted on the network would let an attacker read the message.

Processor 31 can also be used to control video manager 34 in order to implement and control the user interface. Such an approach would permit the use of a graphical user interface (GUI) within trusted window 82 that would reduce the amount of screen information transferred by host computer 60. This approach also permits the user to implement, through processor 31, multiple trusted windows 82 at the user node in order to perform the cut-and-paste function referred to above.
In the preferred embodiment, subsystem 30 is a modular design in which processor 31 and cryptographic entity 35 are kept constant and video manager 34 and keyboard manager 36 are designed so that they can be replaced easily to handle different displays and keyboards. In one embodiment, subsystem 30 is designed to be portable. A portable subsystem 30 can be used to turn any modem equipped computer with the requisite auxiliary data port into a secure data terminal or computer.

Fig. 4 is a block diagram representation of an alternate embodiment of trusted path subsystem 30. In Fig. 4, processor 31 is connected through network interface 39 to network 50 and through communication port 48 to workstation 40. In the embodiment shown in Fig. 4, workstation processing unit 40 is isolated from the network. This approach allows the encryption of all network traffic associated with the user node. In the embodiment shown in Fig. 4, communication port 48 can be a communication medium ranging from RS-232 to an unsecured Ethernet.

A more detailed representation of one embodiment of trusted path subsystem 30 is shown in Fig. 5. In Fig. 5, keyboard logical switch 37 receives data from keyboard 20 and routes it to processor 31. During normal mode, processor 31 then sends the received keyboard data directly over keyboard port 46 to workstation 40.

In contrast, in trusted path mode, processor 31 captures the received keyboard data and sends it to cryptographic entity 35 for encrypting. No information is sent over keyboard port 46 to workstation 40. The resulting encrypted keyboard data is instead sent through auxiliary data port 42 to workstation 40 and from there to computer 60.

Video data from workstation w 4 0 is transmitted 
frbm video port '44 to vidfeb manager 34. During normal 
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mode, the video data is sent through to display 10 
without modification. During trusted path mode, 
however, the video data transferred from video port 44 
is overlaid, at least in some part, ...by. video data 
5 generated by video manager 34. 

A representative video manager. 34 is shown 
generally, in Fig t . 5. : Video manager 34 consists of video 
.synchronization, hardware 72., video RAM 74, video driver 
78 and video, multiplexer 76. Videp ^synchronization 

10 hardware 72 receives synchronization signals from video ; 
port 44 and uses the signals to coordinate the display 
,of data from video RAM 74 with the display generated by 
workstation .4 0 . During normal mode data from video RAM 
,74 is not usjed; video is. .transferred directly from 

15 workstation 40 through video multiplexer 76 to display . 
10. When, however, trusted path subsystem 30 is placed 
into trusted path mode, video data, .stored .in video RAM 
74 is used instead. of the normal video stream to, create 
trusted window 82. ^ 

In one embodiment synchronization hardware 72
uses the synchronization signals received from
workstation 40 to control the reading of data from video
RAM 74 and the conversion of that data into a video
signal by video driver 78. The output of video driver
78 is then used to drive video multiplexer 76.
Synchronization hardware 72 controls video multiplexer
76 in order to switch between the video generated by
workstation 40 and the video being read from video RAM
74. The output of video multiplexer 76 is driven
through video amplifiers to display 10.

The design of the video hardware needed to
overlay one display on top of another is well known in
the art. Window 82 can be synched up to the video going
to display 10. If window 82 is not full screen, video
synchronization hardware 72 counts the number of lines
to the first line of window 82, counts in the number of
pixels, and inserts the video at that point. Trusted
path video data is then written for the desired number
of pixels and video multiplexer 76 is switched back to
normal video for the remainder of the video line. This
mechanism provides flexibility in placement and sizing
of window 82 on screen 80.
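The line-and-pixel counting just described can be modelled in software. What follows is an added example, not code from the patent: a Python model of video manager 34 in which, per scan line, the synchronization logic counts down to the first line of window 82, counts in to its left edge, selects video RAM 74 for the window's width and then switches the multiplexer back to the workstation video. The frame representation (a list of scan lines of one-character pixels), the Window type and the window geometry are constructed assumptions; the patent gives no specific screen layout.

```python
"""Software model of the overlay mechanism of video manager 34.

Added example, not the patent's own code. A frame is a list of scan
lines, each a list of single-character pixel values (constructed
sample data). Window placement values are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """Placement of trusted window 82 on screen 80 (0-based counts)."""
    top: int     # scan lines counted down to the window's first line
    left: int    # pixels counted in before the multiplexer switches
    height: int  # lines read from video RAM 74
    width: int   # pixels of trusted video per line before switching back


def compose_frame(workstation_video, video_ram, window, trusted_path_mode):
    """Return the frame driven to display 10.

    Normal mode: multiplexer 76 passes the workstation video through.
    Trusted path mode: for each line inside the window, the multiplexer
    selects video RAM for `window.width` pixels starting at `window.left`
    and returns to workstation video for the remainder of the line.
    A window that extends past the screen edge is clipped: the counting
    stops when the workstation video runs out of lines or pixels.
    """
    if not trusted_path_mode:
        return [line[:] for line in workstation_video]
    if len(video_ram) < window.height or any(
            len(ram_line) < window.width for ram_line in video_ram[:window.height]):
        raise ValueError("video RAM 74 does not hold a full trusted window")

    output = []
    for line_no, line in enumerate(workstation_video):
        ram_line_no = line_no - window.top
        if not 0 <= ram_line_no < window.height:
            output.append(line[:])          # mux stays on workstation video
            continue
        out_line = []
        for pixel_no, pixel in enumerate(line):
            ram_pixel_no = pixel_no - window.left
            if 0 <= ram_pixel_no < window.width:
                out_line.append(video_ram[ram_line_no][ram_pixel_no])  # mux -> video RAM
            else:
                out_line.append(pixel)      # mux back to normal video
        output.append(out_line)
    return output


def render(frame):
    """Text rendering of a frame, one scan line per row."""
    return "\n".join("".join(str(p) for p in line) for line in frame)


def demo():
    """Constructed 6x8 workstation frame ('.') with a 2x3 trusted window ('#')."""
    workstation_video = [["."] * 8 for _ in range(6)]
    video_ram = [["#"] * 3 for _ in range(2)]
    window = Window(top=2, left=3, height=2, width=3)
    return compose_frame(workstation_video, video_ram, window, True)


if __name__ == "__main__":
    print(render(demo()))
```

Running the module prints the composed frame; pixels covered by the window come from video RAM and every other pixel is the workstation's own output, which is the property the hardware description relies on for the overlay to be trustworthy.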

Video multiplexer 76 can be built using a
crosspoint video switch such as the MAX456 manufactured
by Maxim Integrated Products. Video data to and from
the crosspoint video switch can be buffered using the
MAX457 by Maxim Integrated Products. Video RAM 74 can
be any commercial video RAM. A typical video RAM is the
MT42C8256 manufactured by Micron Technologies Inc. It
should be obvious that the given design can be easily
adapted for either a color or a black and white display
or even for a black and white overlay of a color
display.

In one embodiment, host computer 60 transmits,
as encrypted packets, video data to be displayed within
trusted window 82. The encrypted packets are passed to
processor 31 by workstation 40 and then on to encryption
device 35. Encryption entity 35 decrypts the video data
and places it into video RAM 74. Synchronization
hardware 72 then activates video multiplexer 76 and
video RAM 74 in order to display the decrypted secure
video data.
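The keyboard path described earlier (processor 31 forwarding keystrokes over keyboard port 46 in normal mode, and handing them to cryptographic entity 35 and auxiliary data port 42 in trusted path mode) and the decryption of host video packets into video RAM 74 both depend on the same cryptographic entity. The following is an added example, not the patent's code, modelling both flows in Python. It assumes the host's encryption means and entity 35 share pre-established keys; the cipher is a toy encrypt-then-MAC built from the standard library so the example runs offline, standing in for whatever cipher a real device would use. Port and mode names are assumptions chosen to match the description.

```python
"""Data-flow model of the trusted path subsystem (added example).

Not the patent's own code. CryptoEntity stands in for cryptographic
entity 35 and for the matching encryption means at host computer 60;
both are assumed to hold the same keys. The cipher is a toy
encrypt-then-MAC (HMAC-SHA256 as keystream generator, HMAC-SHA256 as
tag) chosen so the example runs with the standard library only; a real
device would use a vetted authenticated cipher.
"""
import hashlib
import hmac
import secrets
import struct

NORMAL_MODE = "normal"            # assumed mode names
TRUSTED_PATH_MODE = "trusted_path"

NONCE_LEN = 12
TAG_LEN = 32


class CryptoEntity:
    """Encrypt/decrypt with a per-message nonce and an authentication tag."""

    def __init__(self, enc_key, mac_key):
        self.enc_key = enc_key
        self.mac_key = mac_key

    def _keystream(self, nonce, length):
        # PRF(enc_key, nonce || counter) blocks, concatenated and truncated
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + struct.pack(">I", counter),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def decrypt(self, packet):
        if len(packet) < NONCE_LEN + TAG_LEN:
            raise ValueError("packet too short")
        nonce = packet[:NONCE_LEN]
        ciphertext = packet[NONCE_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # verify before decrypting
            raise ValueError("authentication failed")
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def route_keyboard_data(mode, keystrokes, crypto):
    """Processor 31's handling of data received from the keyboard.

    Returns what is placed on each port: keyboard port 46 (the
    workstation's own keyboard input) and auxiliary data port 42
    (relayed by the workstation to host computer 60). In trusted path
    mode the untrusted workstation sees only ciphertext.
    """
    if mode == NORMAL_MODE:
        return {"keyboard_port_46": keystrokes, "aux_port_42": b""}
    if mode == TRUSTED_PATH_MODE:
        return {"keyboard_port_46": b"", "aux_port_42": crypto.encrypt(keystrokes)}
    raise ValueError("unknown mode")


def load_video_packet(packet, crypto, video_ram, offset):
    """Decrypt a host video packet into video RAM 74 at `offset`.

    Returns True on success. A packet that fails authentication, or that
    does not fit, leaves video RAM untouched and returns False, so a
    tampered or forged packet cannot alter the trusted window.
    """
    try:
        data = crypto.decrypt(packet)
    except ValueError:
        return False
    if offset < 0 or offset + len(data) > len(video_ram):
        return False
    video_ram[offset:offset + len(data)] = data
    return True


def demo():
    """Round trip with constructed keys and data."""
    crypto = CryptoEntity(enc_key=b"\x01" * 32, mac_key=b"\x02" * 32)
    ports = route_keyboard_data(TRUSTED_PATH_MODE, b"passw0rd\n", crypto)
    video_ram = bytearray(64)
    packet = crypto.encrypt(b"TRUSTED WINDOW")   # what host 60 would send
    ok = load_video_packet(packet, crypto, video_ram, 0)
    return ok, crypto.decrypt(ports["aux_port_42"]), bytes(video_ram[:14])


if __name__ == "__main__":
    print(demo())
```

The two security properties the model makes checkable are that nothing in the clear reaches keyboard port 46 while trusted path mode is active, and that only packets which authenticate under the shared key can change what the trusted window shows.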

In a second embodiment (not shown), processor
31 creates the video overlay data and writes that data
to video RAM 74. Display of the data is as above.

A trusted computing system based on unsecured,
commercially available workstations, trusted path
subsystems and multilevel secure computers provides a
powerful, highly secure computing environment. The
ability of such a system to compensate for unsecured
workstations allows the designers of such systems to use
the latest versions of commercially available hardware
and software without compromising the security of the
system.
For instance, a user of a workstation may wish
to edit a secret document and reclassify the edited
document as unclassified. The document can be loaded
into the workstation, edited with the user's favorite
word processing software package, and saved. Then, in
order to classify the document as unclassified, the user
would invoke trusted path mode, the trusted window would
be displayed and the user could review the revised
document to verify that no additional information had
been attached to the file. The reviewed document could
then be released as an unclassified document and the
user would then return to normal mode.

The unique placement of cryptographic entity 35
relative to workstation 40 allows a single workstation
to be used at different levels of security sensitivity.
Therefore, instead of systems in which a workstation is
required for each level of security sensitivity, in the
present system a single commercial workstation may be
used to protect and access a range of security levels.

Finally, the end-to-end characteristic of the
encryption permits secure communication without the need
to perform costly analysis of complex elements such as
network controllers. The invention also allows use of
commercial off-the-shelf workstations and network
components and can be used with a variety of keyboards
and displays.

Although the present invention has been
described with reference to the preferred embodiments,
those skilled in the art will recognize that changes may
be made in form and detail without departing from the
spirit and scope of the invention.
What is claimed is:

1. A secure computing network, comprising:
    a network computer, wherein the computer comprises
        a trusted subsystem; and
        encryption means for encrypting and
decrypting data transferred to and from the
trusted subsystem;
    communications means, connected to the network
computer, for permitting data transfer between the
network computer and other computers;
    an input/output device;
    a workstation comprising:
        first communications interface means,
connected to the communications means, for
transferring data between the workstation and
the network computer;
        input/output device interface means for
transferring data between the workstation and
the input/output device; and
        second communications means for
transferring data between the workstation and
another processor; and
    trusted path means, inserted between the
input/output device and the input/output device
interface means and connected to the second
communications means, for intercepting data transfers
between the input/output device interface means and the
input/output device, wherein the trusted path means
comprises encryption means for encrypting and decrypting
the data transfers and for routing such transfers over
the second communications means to the trusted
subsystem.

2. The secure computing network of claim 1 wherein the
network computer is a multilevel secure computer capable
of recognizing data of varying sensitivity and users of
varying authorizations.
3. The secure computing network of claim 1 wherein the
input/output device comprises a keyboard.

4. The secure computing network of claim 1 wherein the
input/output device comprises a display device.

5. The secure computing network of claim 1 wherein the
input/output device comprises a pointing device.

6. A secure computing network, comprising:
    a network computer, wherein the computer comprises
        a trusted subsystem; and
        encryption means for encrypting and
decrypting data transferred to and from the
trusted subsystem;
    communications means, connected to the network
computer, for permitting data transfer between the
network computer and other computers;
    an input/output device;
    a workstation comprising:
        input/output device interface means for
transferring data between the workstation and
the input/output device; and
        workstation communications means for
transferring data between the workstation and
another processor; and
    trusted path means, inserted between the
input/output device and the input/output device
interface means and connected to the workstation
communications means, for intercepting data transfers
between the input/output device interface means and the
input/output device, wherein the trusted path means
comprises encryption means for encrypting and decrypting
the data transfers and network interface means,
connected to the communication means, for transferring
the encrypted data transfers between the trusted path
means and the trusted subsystem.

7. The secure computing network of claim 6 wherein the
network computer is a multilevel secure computer capable
of recognizing data of varying sensitivity and users of
varying authorizations.

8. The secure computing network of claim 6 wherein the
input/output device comprises a keyboard.

9. The secure computing network of claim 6 wherein the
input/output device comprises a display device.

10. The secure computing network of claim 6 wherein the
input/output device comprises a pointing device.

11. A trusted path subsystem capable of being connected
between an input/output device and a processor of a
workstation in order to provide secure communication
with a multilevel secure computer network server, the
subsystem comprising:
    input/output manager means for selectively
intercepting, under user control, data transferred from
the input/output device to the processor and from the
processor to the input/output device;
    encryption means for encrypting the intercepted data
before transferring the encrypted data to the processor;
and
    decryption means for decrypting the intercepted data
before transferring the decrypted data to the
input/output device.

12. The trusted path subsystem according to claim 11
wherein the input/output manager means comprises
keyboard manager logic, wherein the keyboard manager
logic comprises:
    a keyboard interface which captures information
generated by a keyboard; and
    processing means for transferring the captured
information to a workstation processor, wherein the
processing means transfers the captured information on a
first path when in a first mode, and on a second path
when in a second mode.

13. The trusted path subsystem according to claim 11
wherein the input/output manager means comprises a video
manager which can be used to generate a trusted window
overlay on a video screen, wherein the video manager
comprises:
    a video multiplexer having first and second input
ports and an output port, wherein the first input port
can be connected to an external video signal and wherein
the output port can be connected to a video display;
    a video data memory;
    converter means, connected to the video data memory
and the second multiplexer input port, for converting
data read from the video data memory into a trusted
video signal representative of that data and for
applying the trusted video signal to the second video
multiplexer input port; and
    video synchronization means, connected to the video
data memory and the video multiplexer, for controlling
the video data memory and the video multiplexer so as to
insert the trusted video signal into the video signal
generated at the video multiplexer output port.

14. A method of securely transferring data in a network
comprising an unsecured workstation connected to a
multilevel secure server, wherein the workstation
comprises a processor and an input/output device and
wherein the multilevel secure server comprises a trusted
subsystem and encryption means for encrypting and
decrypting data transferred to and from the trusted
subsystem, the method comprising the steps of:
    providing trusted path means for providing a user
selectable secure communications path between the
input/output device and the trusted subsystem; and
    inserting the trusted path means between the
input/output device and the processor.

15. A method for providing secure file transfer
capability on an unsecured workstation connected over a
network to a second computer, wherein the workstation
comprises a workstation processor and an input/output
device and wherein the second computer comprises a
trusted subsystem and encryption means for encrypting
and decrypting data transferred to and from the trusted
subsystem, the method comprising the steps of:
    providing means for creating a trusted path between
the input/output device and a trusted subsystem, said
trusted path means including a trusted processor capable
of executing a secure electronic mail program;
    inserting the trusted path means between the
input/output device and the workstation processor;
    downloading from the workstation processor to the
trusted processor a file to be transferred to the second
computer;
    displaying, on the input/output device, a
representation of the file to be transferred;
    if the file is as expected, transferring the file to
the second computer; and
    if the file is not as expected, generating an error
message.

16. The method according to claim 15 wherein the step of
generating an error includes ... processing on the file.